Forum Discussion

Spark Zhang's avatar
Spark Zhang
Brass Contributor
Jun 05, 2023

Web content filtering and indicator aren't working on third party browser

Hi, we have just noticed that web content filtering and customized indicators are not working on third party browsers after upgraded defender for endpoint to 4.18.23050.3, the issue has happened to b...
CG2025's avatar
CG2025
Copper Contributor
Jun 03, 2025

I have the same issue, moved to 365 web filter which is great and works very well with all our other cloud services from MS 

But all of a sudden it has stopped working in Chrome, it was working when we implemented it about a year ago as it was fully tested on Edge and Chrome (the only 2 browsers we use)

We have moved our Firewall to UniFi and while testing out their NEXT AI tools I have noticed that the web filter isn't working in Chrome.

365 has some control over Chrome, if you access ****hub it gets blocked by defender protection (not web filter)
If you access SkyBet on Edge it is blocked for Web Content Filter under Gambling but allows you straight on with Chrome

The fact defender can protect Chrome but not the Web Filter feels like MS have just given up and not bothered if it works or not. Further pushing the MS or nothing route (use Edge will be their verified and official fix I reckon) 

MarkA-G's avatar
MarkA-G
Brass Contributor
Jun 03, 2025

We're having trouble with Mac's at the moment and it's largely due to browsers having implemented ECH by default, and QUIC, ECH obfuscates the domain which is what the web filtering is based on. IP Network Protection probably still works but anything domain based where ECH is used won't. We're also finding the protection is inconsistent, likely because ECH falls back if it doesn't work and then the domain can be seen and blocked. So even if you block QUIC at firewall unless you explicitly configure the browsers to disable ECH and QUIC and don't allow the users to override, then when the users go home they can be unprotected.

  • CG2025's avatar
    CG2025
    Copper Contributor
    Jun 04, 2025

    I have managed to disable QUIC on Chrome and Edge for all users but still have the issue with Chrome, is it possible to disable ECH? Funny how MS implement blocking QUIC into their secure score and recommendations yet they can't get the web filter to work on Chrome...

    We moved away from our Firewall doing web filtering for the pure reason people we're not protected at home... but now if they use Chrome they bypass all protection anyway.. feels like a somewhat step backwards 

    • MarkA-G's avatar
      MarkA-G
      Brass Contributor
      Jun 04, 2025

      Yep, for GPO you'll need to use the latest ADMX or ADML file and the field is "EncryptedClientHelloEnabled", for intune it's in administrative templates


      Enable TLS Encrypted ClientHello | Device

      For Macs I believe you have to update the plist manifest values for:
      EncryptedClientHelloEnabled
      QuicAllowed
      I'm no expert on Macs though.
       
      • CG2025's avatar
        CG2025
        Copper Contributor
        Jun 05, 2025

        Tested this to no avail!

        Disables ECH and QUIC, reboot etc... the chrome:policy and Chrome:flags both show QUIC and ECH disabled yet the filter does not work. 

        Ensured history was cleared and but still no luck, works flawless on edge just nothing on Chrome 

Resources